From owner-freebsd-security@FreeBSD.ORG Wed Aug 18 15:56:52 2004
Date: Wed, 18 Aug 2004 17:56:59 +0200
From: Tommy K
To: probsd org
cc: freebsd-security@freebsd.org
Subject: Re: chfn, date, chsh INFECTED according to chkrootkit
Message-ID: <20040818155659.GE8241@berlin.homeunix.com>
In-Reply-To: <20040818121102.95460.qmail@web52402.mail.yahoo.com>
User-Agent: Mutt/1.4.2.1i
List-Id: Security issues [members-only posting]

Hello,

I have written this mail to the author of chkrootkit.

Tommy

On Fri, Jul 02, 2004 at 01:20:50PM +0200, Tommy K wrote:
> Hello,
>
> I have tested chkrootkit on many FreeBSD 4.10** machines and all of the
> tested machines have the same INFECTED things.
>
> I think that is a bug in chkrootkit.

Yes, you're right. I will fix it in the next version.
Thanks a lot for your bug report and interest in chkrootkit,

./nelson -murilo

> # chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not infected
> Checking `basename'... not infected
> Checking `biff'... not infected
> Checking `chfn'... INFECTED
> Checking `chsh'... INFECTED
> Checking `cron'... not infected
> Checking `date'... INFECTED
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
>
> Hopefully it could help you!
>
> Regards Tommy
>
> --
> Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
> Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5
>
> Thomas Kamann | Trainee - Application Development

On Wed, Aug 18, 2004 at 05:11:02AM -0700, probsd org wrote:
> I ran chkrootkit ( v. chkrootkit-0.43 ) earlier and
> noticed that chfn, date, and chsh showed as being
> infected. I remember reading posts from the past that
> right now chkrootkit is giving a lot of false
> positives, so I suspected that these 3 binaries are
> not bad.
>
> However, to be on the safe side, I deleted the 3
> binaries, removed /usr/src and did a 'make world' to
> 4.10-STABLE.
>
> But, chfn, chsh, and date are still showing as
> infected.
>
> Is my assumption that I am seeing a false positive
> correct, or does anyone know of an exploit that would
> affect these 3 binaries ( and even after a 'make
> world' from clean src )?
>
> Michael

--
Das Büro am Draht GmbH | Blücherstraße 22 | D-10961 Berlin
http://www.dasburo.com | http://tom.dasburo.com
Key fingerprint = BFED 7E4C 8B67 64C8 B210 89D1 5678 1A02 7354 DFB5

Thomas Kamann | Trainee - Application Development
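An added example, not part of the thread and not chkrootkit's own code: a POSIX sh script that cross-checks a scanner's INFECTED verdict the way Michael's "make world from clean src" does by hand, by byte-comparing each installed binary with a freshly built copy. A match means the installed file is exactly what the clean build produced, so the verdict rests on the scanner's signature rather than on a modified file. The directory layout, the binary names and the sample files are constructed for illustration; on a real system the built copies would come from the build tree rather than a temp directory.

```shell
#!/bin/sh
# Cross-check a scanner verdict against a known-good build.
# All paths and sample contents below are constructed for illustration.

# Byte-compare one installed binary with its freshly built counterpart.
# Prints one report line; returns 0 when identical, 1 when the files
# differ or the built copy is missing.
verify_binary() {
    installed="$1"
    built="$2"
    if [ ! -f "$built" ]; then
        echo "MISSING  $installed (no built copy at $built)"
        return 1
    fi
    if cmp -s "$installed" "$built"; then
        echo "MATCH    $installed"
        return 0
    fi
    echo "DIFFERS  $installed (compare with $built)"
    return 1
}

# Verify every NAME given: INSTALLED_DIR/NAME against BUILT_DIR/NAME.
# Prints a report, ends with "mismatches: N", and returns 1 if N > 0.
verify_set() {
    installed_dir="$1"
    built_dir="$2"
    shift 2
    mismatches=0
    for name in "$@"; do
        verify_binary "$installed_dir/$name" "$built_dir/$name" \
            || mismatches=$((mismatches + 1))
    done
    echo "mismatches: $mismatches"
    [ "$mismatches" -eq 0 ]
}

# Stand-alone demo with constructed files: chfn is identical in both
# trees, date differs, chsh has no built copy at all.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/installed" "$tmp/built"
    printf 'constructed chfn image' > "$tmp/installed/chfn"
    printf 'constructed chfn image' > "$tmp/built/chfn"
    printf 'constructed date image v1' > "$tmp/installed/date"
    printf 'constructed date image v2' > "$tmp/built/date"
    printf 'constructed chsh image' > "$tmp/installed/chsh"
    verify_set "$tmp/installed" "$tmp/built" chfn date chsh
    status=$?
    rm -rf "$tmp"
    return "$status"
}

demo
```

With real paths the call would look like `verify_set /usr/bin /path/to/built/bin chfn chsh date`; a MATCH line for a binary the scanner still flags is the strongest evidence the report is a signature false positive, while DIFFERS is the case that warrants a closer look.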